Windows 7 Forums

Windows 7: Trovi Virus - help to remove please

17 Jul 2014   #91
Tousdae
Windows 7 Professional 64 bit

File name: askslib.dll
Publisher: Ask.com (signed and verified)
Product: AskIC Dynamic Link Library
Version: 9.9.9.9
MD5: b28c334c03cee7c5e829c43ae75dae5a
SHA-1: 71435ddb11e00d0243380c4902324853fe4ece8f
SHA-256: b2e9e737eb5dcee0a8d8d1e36d6b171efbda18bbdb18033498035cdd52913401

Analysis
Scanner detections: 3 / 68
Status: Potentially unwanted
Analysis date: 3/21/2014 6:26:22 PM UTC (three months ago)

Scan engine: Detection (engine version)
Boost by Reason: Adware.Ask.H (2013.8.29.0)
ESET NOD32: Win32/Bundled.Toolbar.Ask (variant) (7.9133)
Reason Heuristics: PUP.Ask.H (14.3.21.14)

File Details
File size: 242.2 KB (248,008 bytes)
Product version: 9.9.9.9
Copyright: Copyright (C) Ask 2012
Original file name: AskIC.dll
File type: Dynamic link library (Win32 DLL)
Language: English (United States)
Common path: C:\users\user\appdata\local\temp\askslib.dll

Digital Signature
Signed by: Ask.com
Authority: VeriSign, Inc.
Valid from: 6/19/2011 5:00:00 PM
Valid to: 6/18/2014 4:59:59 PM
Subject: CN=Ask.com, OU=Distribution, OU=Digital ID Class 3 - Microsoft Software Validation v2, O=Ask.com, L=Oakland, S=California, C=US
Issuer: CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
Serial number: 0965F2AC7236C7E1BDCA44ED139B273A

File PE Metadata
Compilation timestamp: 8/22/2012 8:37:23 PM
OS version: 5.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 9.0
CTPH (ssdeep): 3072:5qVcBJqeLnzl2hxxIvEX89+dsUk71rSteEj3HdC4Qsqz3nC2DwkV4gcIyxUY49Tc:5W07Lnzl2lI28o+Uk71P4Qh3JYXs4
Entry address: 0x180FC
Entropy: 6.5336
Code size: 171.5 KB (175,616 bytes)

Variants
There are 5 known versions of askslib.dll by Ask.com.
3 / 68 (PUP)  askslib.dll 9.9.9.9 (090b6cdbda1fca4e5ea5ceebe75da1b0122a6f4a)
3 / 68 (PUP)  askslib.dll 5.1.2.0 (eeaa8e7cbf57449ab12ab62b19a60c7ece9c975b)
4 / 68 (PUP)  askslib.dll 5.1.1.0 (40e49124ad0b55a25f947333ca88e9d0bc30a7e3)
3 / 68 (PUP)  askslib.dll 4.2.0.0 (81c2c3354f11ece49d7667538cefe9f2b2395319)
2 / 68 (PUP)  askslib.dll 3.0.0.0 (1eff205d7d0d82baf841a98c176d700114e13fe6)

Related
3 / 68 (PUP)  apnic.dll (e32aa2e78d2c8f0e9316080e71a714befe851e6c)


17 Jul 2014   #92
Slartybart
x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

Ok, thanks. Now do the same thing: click... details... and post for the other three files.

I have a link to get rid of Ask.

Let me know about the other files first and then you can get rid of Ask.

edit: This is looking very good. I think once you get rid of Ask, I'll post the housekeeping tasks and you'll be done.
17 Jul 2014   #93
Tousdae
Windows 7 Professional 64 bit

File name: quarantine.exe
MD5: 10ce1874520612e5f9bdc21c962aef1b
SHA-1: 797a6d631d6a19f7e556bdbd7ef17d11fb648406
SHA-256: 8b72f75687da4a6c80c41cf380fc1b5557334d67aab49c8ba16a101c80b36f79

Analysis
Scanner detections: 3 / 68
Status: Inconclusive (not enough data for an accurate detection)
Analysis date: 3/14/2014 5:03:29 AM UTC (four months ago)

Scan engine: Detection (engine version)
Antiy Labs AVL: Trojan/Win32.Agent (0.1.0.1)
Jiangmin: Trojan/MSIL.bfsx (KV140314)
Norman: Injector.GCAC (10.20140314)

File Details
File size: 896.5 KB (918,016 bytes)
File type: Executable application (Win32 EXE)
Language: English (United Kingdom)
Common path: C:\users\user\appdata\local\temp\quarantine.exe

File PE Metadata
Compilation timestamp: 3/13/2014 11:13:50 PM
OS version: 5.1
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 11.0
CTPH (ssdeep): 12288:84lsXvtCcmVVXzzn4PJAahPl/QEdIMiVbHydEIJnJWUgaWL/Z3q9MmCS:84lavt0LkLL9IMixoEgeaWLh3q9MmCS
Entry address: 0x26BF7
Code size: 560 KB (573,440 bytes)

Structural Variants
There are numerous known code variations that share the same compilation structure.

Fuzzy Variants
The following files closely match quarantine.exe based on a fuzzy CTPH.
2 / 68  updateinstaller.exe [97% match] (ba681c907537da964bf48be3707862af01997895)
2 / 68  video.exe [97% match] (be95325e41555d11b5fbb268d2ab926592b9c791)
2 / 68 (Adware)  regadd.exe [97% match] (985445fb6145860c18bbe146cb2e4863aaea2ad8)
4 / 68 (Malware)  و يس ان هاك.exe [96% match] (0cd73f5ddd5058408d9146a7a5ccac0eb624706b)
6 / 68 (Malware)  w0rm.exe [94% match] (a06d5488afdad92de2183f890b94df248c9a21c5)

17 Jul 2014   #94
Tousdae
Windows 7 Professional 64 bit

File name: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi
MD5: fc26f8841215642da0cc98f66bc403ce
SHA-1: 978bcbe29255fdc40ea200d1bda790490aa2bb66
SHA-256: 982857a836929026f98d3e530e91c0ffe6194064f2b047312d560c472e65636f

Analysis
Scanner detections: 1 / 68
Status: Inconclusive (not enough data for an accurate detection)
Analysis date: 3/1/2014 8:52:05 AM UTC (four months ago)

Scan engine: Detection (engine version)
Dr.Web: Adware.FreeCause.3 (9.0.1.0341)

File Details
File size: 566.8 KB (580,368 bytes)
File type: Cross-Platform Installer Module (XPI), used by Mozilla bundles
Common path: C:\users\user\appdata\roaming\mozilla\firefox\profiles\user.default\extensions\{afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi

Behaviors
Mozilla Extension
Name: {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi

Variants
0 / 68  {afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi (f33793c353bafee0d369c031c7a14907a78bb7a0)
17 Jul 2014   #95
Tousdae
Windows 7 Professional 64 bit

File name: iwinarcadelauncher.exe
Publisher: iWin, Inc (signed and verified)
MD5: 28bd5ae31c863f05f5398b7668208435
SHA-1: 28fc30b5eae707b86d2c3efc307dceb790a5fdcd
SHA-256: 724c52bb6b902942e7d90264e5ed9ff258ba18bff5feccb47b7c5d31e8a3c975

Analysis
Scanner detections: 1 / 68
Status: Inconclusive (not enough data for an accurate detection)
Analysis date: 3/6/2014 3:23:41 PM UTC (four months ago)

Scan engine: Detection (engine version)
Reason Heuristics: Unnamed.Threat.16 (14.3.6.10)

File Details
File size: 45 KB (46,128 bytes)
File type: Executable application (Win32 EXE)
Common path: C:\Program Files\iwin games\firefox\iwinarcadelauncher.exe

Digital Signature
Signed by: iWin, Inc
Authority: Thawte Consulting (Pty) Ltd.
Valid from: 11/16/2006 7:00:00 PM
Valid to: 11/16/2008 6:59:59 PM
Subject: CN="iWin, Inc", OU=Secure Application Development, O="iWin, Inc", L=San Francisco, S=California, C=US
Issuer: CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA
Serial number: 0484B0E7AC23C4FB5A9CBDCDC5249187

File PE Metadata
Compilation timestamp: 10/27/2006 4:09:39 AM
OS version: 4.0
OS bitness: Win32
Subsystem: Windows GUI
Linker version: 6.0
CTPH (ssdeep): 768:+f3VmVhsRI26KR+gO3iWn+Cyb9+6otVhyL3UF:Q3AkKBznexot3y4F
Entry address: 0x2A0E
Entropy: 5.7237
Developed / compiled with: Microsoft Visual C++ v6.0
Code size: 24 KB (24,576 bytes)

Structural Variants
0 / 68  iwinarcadelauncher.exe (f9220079bf7c3e024d44518a42665267ed263669)

Related
0 / 68  PGMTrusted.EXE (bde59574bf07fd2ea8a7aac2afe0801f702ab8c6)
0 / 68  iWinTrusted.EXE (43defd876ff0a3216a5585df50d98188ec1b055c)
0 / 68  iWinGames.exe (6714d26e0f84fb7a24cd0b6a2aa6c26caf1663dd)
0 / 68  PogoDGC.exe (ab5e39abd10cbc1be97c13bbfbab1442e15e5d5f)
1 / 68 (inconclusive)  WebUpdater.EXE (07e77f677619bfc46d3970caae3fe176abbf0d15)
13 / 68 (PUP)  iwingameshookie.dll (e8af7180dd6d8dfc2e281ed59c471f2af686f4ba)
0 / 68  Au_.exe (7ff6bcf7c280b243ac9eb565da559b952e199e15)
0 / 68  iWin_GDF.dll (a2f4c2a8be29c6f76748259d434d365ef571a8c8)
0 / 68  JewelQuest3.exe (23ffdb6966dd303d19ae1ed832e008c821144877)
0 / 68  uninstall.exe (67e36944b6557beaac849ff9e348c47bd3f70363)
0 / 68  AdminWorker.exe (82455d34481ca07539a8fc4faffbcc38fd519ff7)
0 / 68  WebInstaller.exe (84ce5ccca3ac382c34f28800cff149ab0f7c36e6)
0 / 68  JewelQuest2.exe (e49878aa54596f89d8f48089ff65414db8bfa336)
0 / 68  framework.dll (5eb28dd937fadfaa9a37bdc16e76e45096214144)
0 / 68  GamesManagerInitiator.exe (52ffcac3ffb98c96a8425ca5bcba457036abda87)
0 / 68  GamesManagerInstaller.exe (8fb0d2b73e06a9d9049bd6e2fe2828bec0b069d5)
17 Jul 2014   #96
Tousdae
Windows 7 Professional 64 bit

I'm heading to bed. I'll check back tmr. Thank you.
17 Jul 2014   #97
Slartybart
x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

If iwinarcadelauncher is the last file (you can't scroll down any further), then we'll just have to clean up Ask and quarantine.

Copy the following line and paste it into the Windows Explorer address bar:
C:\USERS\LI\APPDATA\LOCAL\TEMP
Press Enter.
Post a screenshot.
Select quarantine.
Press the Delete key.

Clean up Ask

You'll have to close your browser for some of the steps, and restarts are required. Don't skip a step or the Ask cleanup won't be complete.

Download: http://apnmedia.ask.com/media/toolba...ApnRemover.exe
Close all open browser windows.
Then run the utility; after it completes, please restart your computer.
Restarting the computer is necessary to complete the removal.

Then check each browser installed on your system.
Follow each step on this webpage - yep, every browser on your system, even if you don't use it.
The Ask toolbar doesn't care if you use it or not; it installs on every browser it finds on your system.
If a browser is not installed, go to the instructions for the next browser.

Why can't I remove the Ask default homepage from my browser?
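Added example, not from the thread or from either poster: before deleting quarantine.exe or running the Ask remover, this PowerShell check confirms that the files on disk are the ones the reputation reports above describe (same SHA-256) and shows their Authenticode status and certificate expiry. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and that the "\users\user" paths in the reports correspond to the current user's profile.

```powershell
# Added example (not from the thread): confirm that each file on disk is the one the
# reputation reports above describe before deleting it or running the Ask remover.
# Assumes Windows PowerShell 4.0 or later (needed for Get-FileHash) and that the
# "\users\user" paths in the reports map to the current user's profile.
$temp   = Join-Path $env:USERPROFILE 'AppData\Local\Temp'
$ffProf = Join-Path $env:USERPROFILE 'AppData\Roaming\Mozilla\Firefox\Profiles'

# SHA-256 values quoted in the reports, keyed by the path each file was found at.
$expected = @{}
$expected[(Join-Path $temp 'askslib.dll')]    = 'b2e9e737eb5dcee0a8d8d1e36d6b171efbda18bbdb18033498035cdd52913401'
$expected[(Join-Path $temp 'quarantine.exe')] = '8b72f75687da4a6c80c41cf380fc1b5557334d67aab49c8ba16a101c80b36f79'
$expected['C:\Program Files\iwin games\firefox\iwinarcadelauncher.exe'] = '724c52bb6b902942e7d90264e5ed9ff258ba18bff5feccb47b7c5d31e8a3c975'
# The Firefox extension sits under a profile folder whose name differs per install,
# so locate it by its GUID file name instead of hard-coding "user.default".
Get-ChildItem -Path $ffProf -Filter '{afe43e80-0abc-4df2-81a0-3fe44b74abe8}.xpi' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $expected[$_.FullName] = '982857a836929026f98d3e530e91c0ffe6194064f2b047312d560c472e65636f' }

foreach ($path in @($expected.Keys)) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "MISSING   $path"
        continue
    }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()
    $verdict = if ($hash -eq $expected[$path]) { 'hash matches the report' } else { "HASH DIFFERS: $hash" }

    # Authenticode status is Valid, NotSigned, or an error such as NotTrusted/HashMismatch.
    # A timestamped signature stays Valid after the certificate's NotAfter date, so the
    # expiry (2014 for Ask.com, 2008 for iWin in the reports above) is shown separately.
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) {
        '{0} (expires {1:yyyy-MM-dd})' -f $sig.SignerCertificate.Subject, $sig.SignerCertificate.NotAfter
    } else { 'no signer certificate' }
    Write-Output ("{0}`n  {1}`n  signature: {2}, {3}" -f $path, $verdict, $sig.Status, $signer)
}
```

A file that reports HASH DIFFERS is not the sample the scanners looked at, so its verdicts do not apply to it and it should be rescanned rather than assumed clean.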
17 Jul 2014   #98
Slartybart
x64 (6.3.9600) Win8.1 Pro & soon dual boot x64 (6.1.7601) Win7_SP1 HomePrem

It's getting late here, so I'll post the housekeeping stuff now.

Finish the quarantine and Ask cleanup, then

Uninstall HitmanPro from Control Panel > Programs & Features

Reset Windows Update (WU) so it matches this configuration:
[attached image: Trovi Virus - help to remove please-tousdae-wu.png]
Run WU manually until there are no more updates offered. This will take a while.
Do NOT install anything else until your system is up to date.
Check Microsoft Security Essentials - make sure it is active and scans are scheduled.

I'll check back tomorrow, g'nite

Bill
18 Jul 2014   #99
Tousdae
Windows 7 Professional 64 bit

I looked at some of the logs above. I have no idea what this Jewel Quest is. And iwin is just a thorn in the side!

I held down shift and scrolled up or down to highlight the info so it should all be there.

This is what happened when I clicked on the ApnRemover.exe


[attached image: Trovi Virus - help to remove please-1.jpg]
18 Jul 2014   #100
Tousdae
Windows 7 Professional 64 bit

... I can't do your first direction because I can't figure it out >.<